On Wed, May 10, 2017 at 18:36 +0000, jphe...@yenn.ulegend.net wrote:
> Hello.
> 
> I am trying to establish an ipsec connection in transport mode between two
> hosts located in the same LAN, using PSK for authentication and ikev1 for
> automatic keying. So far, my attempts have resulted in failure.
> 
> Host A ( 192.168.1.11 ) runs OpenBSD 6.1 and uses the following
> configurations:
> 
> /etc/ipsec.conf
> ike passive esp transport from 192.168.1.11 to 192.168.1.12 \
> main auth hmac-sha1 enc aes group modp1024 \
> quick auth hmac-sha1 enc aes group modp1024 \
> psk "test"
> 
> /etc/rc.conf.local
> isakmpd_flags=-K -T
> ipsec=YES
> 
> Host B ( 192.168.1.12 ) runs Knoppix 7.7.1, Strongswan 5.5.0, and uses the
> following configurations:
> 
> /etc/ipsec.conf
> [...]
> conn test
>         left=192.168.1.12
>         right=192.168.1.11
>         authby=secret
>         auto=start
>         type=transport
>         ike=aes-sha1-modp1024
>         esp=aes-sha1-modp1024
>         compress=no
> 
> /etc/ipsec.secrets
> 192.168.1.12 192.168.1.11 : PSK "test"
> 
> This shows up in /var/log/messages on Host A when establishing ipsec between
> both hosts is attempted:
> May 10 16:57:39 server isakmpd[37746]: isakmpd: starting
> May 10 16:57:58 server isakmpd[4052]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> May 10 16:57:58 server isakmpd[4052]: message_negotiate_sa: no compatible proposal found
> May 10 16:57:58 server isakmpd[4052]: dropped message from 192.168.1.12 port 500 due to notification type NO_PROPOSAL_CHOSEN
> 
> Notice that isakmpd is expecting 3DES, when I configured the connection to
> use AES at both ends. More worrisome: when I configure Host B to use
> 3DES for phase 1, isakmpd complains because it was offered PSK, but RSA_SIG
> was expected! This leads me to believe that isakmpd is ignoring the
> configuration parameters.
> 
> Any help is appreciated. 
> 

This is most likely the result of wrong file permissions on
/etc/ipsec.conf.  Try running "ipsecctl -vnf /etc/ipsec.conf"
as root and you'll notice that file permissions need to be
tightened.  What happens is that your configuration doesn't
get loaded and isakmpd attempts to use a default one.

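As an added illustration of the permission check described in the reply (this is not code from the thread or from OpenBSD; the function names are mine), the POSIX shell below reports whether an ipsec.conf-style file is readable or writable by group or others, and tightens it to owner-only access. The symptom in the log (3DES_CBC and RSA_SIG being "expected" although the configuration says AES and PSK) is what isakmpd's built-in defaults look like when the configuration was never loaded.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# ipsecctl(8) refuses a config file that group or others can read or write,
# so isakmpd falls back to its defaults; these helpers make that check
# visible from a script.

# ipsec_conf_perms_ok FILE
#   exit 0 if FILE has no group/other permission bits set,
#   exit 1 if it is too open, exit 2 if FILE does not exist.
ipsec_conf_perms_ok() {
    f=$1
    [ -f "$f" ] || return 2
    # POSIX find: "-perm -MODE" matches when every bit in MODE is set,
    # so each clause tests one group/other bit; any hit means too open.
    hit=$(find "$f" \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print)
    [ -z "$hit" ]
}

# tighten_ipsec_conf FILE
#   restrict FILE to owner read/write only, then re-run the check.
tighten_ipsec_conf() {
    f=$1
    [ -f "$f" ] || return 2
    chmod 600 "$f" || return 1
    ipsec_conf_perms_ok "$f"
}

# validate_ipsec_conf FILE
#   tighten permissions and, where ipsecctl is available, parse the file
#   without loading it (the -n flag from the reply) so that a syntax or
#   permission error is reported immediately instead of at boot.
validate_ipsec_conf() {
    f=${1:-/etc/ipsec.conf}
    tighten_ipsec_conf "$f" || return $?
    if command -v ipsecctl >/dev/null 2>&1; then
        ipsecctl -nvf "$f"
    else
        echo "ipsecctl not found; permissions on $f tightened only" >&2
    fi
}

# Stand-alone usage: sh thisfile.sh [/etc/ipsec.conf]
if [ "${0##*/}" != "sh" ] && [ -n "$1" ]; then
    validate_ipsec_conf "$1"
fi
```

Run it as root against /etc/ipsec.conf; a non-zero exit from the check means the file was group- or world-accessible and is the first thing to fix before looking at proposal mismatches in the isakmpd log.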